Sunday, February 25, 2007

OpenSSL and FIPS

As pointed out by Ben Laurie, the FIPS cert for OpenSSL is enabled again. Unfortunately, there are a number of large companies with financial interest in seeing this fail yet again. Conversely, there are number of large and small companies that'd like the FIPS cert to remain "alive".

All in all, I think it's a piss-poor process where testing and results (not just at NIST) can be swayed or delayed just because a external objection was submitted. If I was NIST (or the Wi-Fi Alliance), I'd be writing rules about spurious objections into the charter.